
Foundations of Cryptography Lecture 4: One-time Signatures, UOWHFs

Foundations of Cryptography, Lecture 4: One-time Signatures, UOWHFs. Lecturer: Moni Naor. Recap of last week’s lecture: functions that are one-way on their iterates; the one-time authentication problem; the hash based protocol; Strongly Universal Hash functions; definition and constructions.



  1. Foundations of Cryptography, Lecture 4: One-time Signatures, UOWHFs. Lecturer: Moni Naor

  2. Recap of last week’s lecture
     • Functions that are one-way on their iterates
     • The one-time authentication problem
     • The hash based protocol
     • Strongly Universal Hash functions
     • Definition and Constructions
     • δ-Universal_2 hash functions
     • Their application in authentication
     • Polynomial Constructions
     • Composition and tree

  3. The authentication problem: computational public-key version
     • Alice would want to send a message m ∈ {0,1}^n to Bob or to Charlie
     • Set-up phase is public
     • They want to prevent Eve from interfering
     • Bob should be sure that the message m’ he receives is equal to the message m Alice sent
     [Figure: Alice sends m to Bob; Eve sits on the channel]

  4. Specification of the Problem (old)
     Alice and Bob communicate through a channel.
     Bob has an external register R ∈ N (no message) ⋃ {0,1}^n.
     Eve completely controls the channel.
     Requirements:
     • Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere – Bob has value m in R
     • Soundness: If Alice wants to send m and Eve does interfere
     • R is either N or m (but not m’ ≠ m)
     • If Alice does not want to send a message R is N
     Since this is a generalization of the identification problem – must use shared secrets and probability or complexity.
     Probabilistic version:
     • for any behavior from Eve, for any message m ∈ {0,1}^n, the probability that Bob is in state m’ ≠ m or N is at most ε

  5. What about the public-key problem?
     • Recall: Bob and Charlie share the set-up phase information
     • Is it possible to satisfy the requirements:
     • Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere – Bob has value m in register R
     • Soundness: If Alice wants to send m and Eve and Charlie do interfere
     • R is either N or m (but not m’ ≠ m)
     • Existential forgery
     • If Alice does not want to send a message R is N
     • Who chooses which m Alice will want to approve?
     • Adversary does. This is a chosen message attack
     • When is m’ chosen – might be after authentication on m seen
     • As before: complexity to the rescue

  6. A one-time public-key authentication
     Let f: {0,1}^n → {0,1}^n be a one-way function.
     • The adversary's running time is bounded by polynomial time
     To sign/authenticate a single bit message:
     • Setup phase:
     • Alice chooses a random pair x_0, x_1 ∈ {0,1}^n and
     • Computes y_0 = f(x_0) and y_1 = f(x_1)
     • Gives Bob and Charlie (y_0, y_1)
     • When Alice wants to approve m ∈ {0,1} – she sends (m, x_m)
     • If Bob gets any symbols on channel – call them (m, z); computes f(z) and compares to y_m
     • If equal, moves to state m
     • If not equal, moves permanently to state N
     • Why is it secure?
     • What about n-bit messages?
     • Alice prepares a set of n pairs and opens the appropriate ones
     • Since this is noninteractive, Bob can convince Charlie that Alice approved message m
     • Non repudiation from Alice

  7. Signing n-bit messages: Lamport’s Scheme
     Public key: f(x_{1,0}), f(x_{1,1}), f(x_{2,0}), f(x_{2,1}), …, f(x_{n,0}), f(x_{n,1})
     [Figure: message bits 0 0 1 1 shown against the public key pairs]

  8. Security of the Scheme
     Theorem: If there is an Adversary A that
     • chooses a message m ∈ {0,1}^n for Alice to legitimately authenticate
     • forges a message m’ ≠ m with probability at least ε
     Then there is an Adversary B that
     • can break the function f with probability at least ε/2n
     • operates in time roughly the same as A
     Proof:

  9. Size of the public key
     • The size of the public key
     • Let f: {0,1}^k → {0,1}^k be a one-way function
     • to be able to sign an n-bit message need 2nk bits of public key.
     • Preparing a public key takes
     • 2n evaluations of the one-way function and
     • 2nk bits of public key.
     Homework: Suggest a tradeoff with more evaluations but fewer bits in the public key.
     • Hint: you may assume that you have functions that are one-way on their iterates
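The n-bit scheme of slides 6 to 9, written out as an added example (this code is not from the lecture). It assumes SHA-256 as a stand-in for the one-way function f with k = 256, and the function names and the 16-bit sample message are constructed for the illustration.

```python
import hashlib
import secrets

K = 32  # bytes per secret and per image, so k = 256 bits


def f(x: bytes) -> bytes:
    """Assumed one-way function; SHA-256 is a stand-in chosen for this example."""
    return hashlib.sha256(x).digest()


def bits(msg: bytes) -> list:
    """Message as a list of bits, most significant bit of each byte first."""
    return [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]


def keygen(n: int):
    """Setup: n random pairs (x_i0, x_i1); the public key is their images."""
    sk = [(secrets.token_bytes(K), secrets.token_bytes(K)) for _ in range(n)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """Open x_{i,m_i} for every message bit m_i. Use each key for ONE message."""
    m = bits(msg)
    if len(m) != len(sk):
        raise ValueError("message length must equal the key's n")
    return [sk[i][b] for i, b in enumerate(m)]


def verify(pk, msg: bytes, sig) -> bool:
    """Bob's check: f(z_i) must equal y_{i,m_i} at every position."""
    m = bits(msg)
    if len(m) != len(pk) or len(sig) != len(pk):
        return False  # corresponds to moving to state N
    return all(f(z) == pk[i][b] for i, (b, z) in enumerate(zip(m, sig)))


def public_key_bits(pk) -> int:
    """Size of the public key in bits: 2 * n * k."""
    return sum(len(y0) + len(y1) for y0, y1 in pk) * 8


if __name__ == "__main__":
    sk, pk = keygen(16)
    sig = sign(sk, b"\x35\xa0")              # constructed 16-bit message
    print(verify(pk, b"\x35\xa0", sig))      # genuine message
    print(verify(pk, b"\x35\xa1", sig))      # last bit changed in transit
    print(public_key_bits(pk))
```

Verification uses only the public key, which is why Bob can hand (m, signature) to Charlie and Charlie can repeat the same check.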

  10. Regeneration
     • If we could get a smaller public key, we would be able to regenerate and sign/authenticate an unbounded number of messages
     • What if you had three wishes…?
     • Idea: use hashing to compress the new public key
     • What about universal hashing?
     • Problem: both m and m’ are chosen in advance in universal hashing
     • Must use computational hardness somewhere

  11. Possible definitions
     • A function g: {0,1}^{2n} → {0,1}^n where it is hard to find m’ ≠ m but g(m) = g(m’)
     • Problems:
     • not good for non-uniform models
     • hard to connect to other assumptions
     • Want a family of functions from which one is selected
     • Use the advantage we have: the target is known

  12. Possible definitions
     • A family of functions G = {g | g: {0,1}^n → {0,1}^{h(n)}} such that
     • Easy to sample g from G and g ∈ G has succinct description
     • Given (n, g, x) easy to compute g(x)
     • h(n) < n
     • Hard to find collisions:
     Alternative 1 – any collision
     • Given n and g ∈ G hard to find x, x’ ∈ {0,1}^n where x ≠ x’ but g(x) = g(x’)
     • Sometimes called collision intractable
     • hard to connect to other assumptions
     Alternative 2 – target collision
     • Given (n, g, x) hard to find x’ ∈ {0,1}^n where x ≠ x’ but g(x) = g(x’)

  13. Universal One-Way Hash functions (UOWHFs)
     • When/how is the target x chosen?
     • Independently of g, but want to work for any possible x
     • First x is selected by adversary, then g ∈ G is selected at random
     • Technical point: let ℓ1, ℓ2: {0,1}* → {0,1}* be functions mapping n to input and output sizes. We assume
     • ℓ1(n) > ℓ2(n) and
     • both are bounded by polynomials in n
     Definition: A family of functions G = ⋃_{n=1}^{∞} G_n where G_n = {g | g: {0,1}^{ℓ1(n)} → {0,1}^{ℓ2(n)}} is called (ℓ1, ℓ2)-universal one-way hash if:
     • Given n, easy to sample random g from G_n, and g ∈ G_n has description polynomial in n
     • Given (n, g, x) easy to compute g(x)
     • Hard to find target collisions: no polynomial time adversary can on input n
     • generate x ∈ {0,1}^{ℓ1(n)}
     • given a random g ∈ G_n find x’ ∈ {0,1}^{ℓ1(n)} where x ≠ x’ but g(x) = g(x’)
     succeed with non-negligible probability for sufficiently large n

  14. Homework
     • Show that the existence of UOWHFs implies the existence of one-way functions
     • Show that there are families of UOWHFs which are not collision intractable
     • Show that if the (n, βn)-subset sum assumption holds for β < 1, then the corresponding subset function defines a family of UOWHFs
     • You may use the fact that for m = βn, for most a_1, a_2, …, a_n ∈ {0, …, 2^m − 1} the distribution of T = ∑_{i ∈ S} a_i is close to uniform, when S is random.

  15. Composing UOWHFs: Concatenation
     Let G be a (ℓ1, ℓ2)-family of UOWHFs.
     Consider the (2ℓ1, 2ℓ2)-family G’ where each g’ ∈ G’ is defined by a function g ∈ G and where g’(x_1, x_2) = g(x_1), g(x_2)
     Claim: the family above is a (2ℓ1, 2ℓ2)-family of Universal One-way Hash functions
     Proof: let the adversary choose x_1, x_2 as the target and let x’_1, x’_2 be the colliding value
     • If x_1 ≠ x’_1: found a collision with x_1, i.e. g(x_1) = g(x’_1)
     • If x_2 ≠ x’_2: found a collision with x_2, i.e. g(x_2) = g(x’_2)
     • Guess which case b ∈ {0,1} will occur
     • correct with probability ½ and
     • output x_b as the target collision
     Running time – similar. Probability of success at least ½ that of G’

  16. Composing UOWHFs: Composition
     Let
     • G1 be a (ℓ1, ℓ2)-family of UOWHFs
     • G2 be a (ℓ2, ℓ3)-family of UOWHFs
     Consider the family G which is a (ℓ1, ℓ3)-family and where each g ∈ G is defined by g1 ∈ G1 and g2 ∈ G2:
     g(x) = g2(g1(x))
     Claim: the family above is a (ℓ1, ℓ3)-family of UOWHFs
     Proof: the collision must occur either at the first hash function or the second hash function…
     [Figure: input of length ℓ1 hashed to length ℓ2, then to length ℓ3]

  17. Composing UOWHFs
     Proof:
     • If collision in first phase occurs more frequently: can break G1
     • Use target x given by adversary as target for G1
     • If collision in second phase occurs more frequently: can break G2
     • Take target x given by adversary, choose g1 ∈_R G1 and set z = g1(x) as target for G2
     • Given g2 ∈ G2 give adversary g = g1, g2
     • Key point: can choose the g1 in the target phase
     [Figure: lengths ℓ1, ℓ2, ℓ3 of the two hashing phases]

  18. The Tree Construction
     [Figure: tree over the message m with levels hashed by g1, g2, g3]
     Let G be a (2k, k)-UOWHF.
     Let n = 2 ∙ l ∙ k and t = log n/k. Each g_i is chosen independently from G.
     The result is a family of functions {0,1}^n → {0,1}^k which is an (n, k)-UOWHF.
     Size of representation: t log |G|, where t is the number of levels in the tree

  19. Constructing (n, n-1)-UOWHFs
     • Idea: Combine one-way with universal
     • Want to match each image of the one-way functions with another random image
     • Let f: {0,1}^n → {0,1}^n be a one-way permutation
     • Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal_2 family
     • Let chop_{n-1}: {0,1}^n → {0,1}^{n-1} be a 2-to-1 function
     Consider the (n, n-1)-family G where each g ∈ G is defined by h ∈ H:
     g(x) = chop_{n-1}(h(f(x)))

  20. Pair-wise independent permutations
     Definition: a family of permutations (1-1 functions) H = {h | h: {0,1}^n → {0,1}^n} is called Strongly Universal_2 or pair-wise independent if:
     • for all x_1, x_2 ∈ {0,1}^n and y_1, y_2 ∈ {0,1}^n where x_1 ≠ x_2 and y_1 ≠ y_2 (new condition) we have
       Prob[h(x_1) = y_1 and h(x_2) = y_2] = 1/2^n ∙ 1/(2^n − 1)
     where the probability is over a randomly chosen h ∈ H.
     The same as in truly random permutations.
     In particular Prob[h(x_2) = y_2 | h(x_1) = y_1] = 1/(2^n − 1)
     Construction: let F be a finite field (e.g. GF[2^n])
     H = {h_{a,b}(x) = a∙x + b | a, b ∈ F, a ≠ 0}

  21. Constructing (n, n-1)-UOWHFs
     • Idea: Combine one-way with universal
     • Want to match each image of the one-way functions with another random image
     • Let f: {0,1}^n → {0,1}^n be a one-way permutation
     • Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal_2 family of permutations
     • Let chop_{n-1}: {0,1}^n → {0,1}^{n-1} be a 2-to-1 function
     • E.g. chopping last bit of input
     Consider the (n, n-1)-family G where each g ∈ G is defined by h ∈ H:
     g(x) = chop_{n-1}(h(f(x)))

  22. Proof of Security
     Want to construct from algorithm A, which is target collision finding for G, an inversion algorithm B for f.
     Algorithm B:
     • Input: y = f(z) to invert
     • Run algorithm A to get target x
     • Find random h ∈ H such that chop_{n-1}(h(y)) = chop_{n-1}(h(f(x))) and give corresponding g as a challenge to A
     • Why does such an h exist and how to find it?
     • If A finds x’ such that g(x’) = g(x) then chop_{n-1}(h(f(x))) = chop_{n-1}(h(f(x’))) = chop_{n-1}(h(y)) and y = f(x’) since h is 1-1
     What is the probability of success of B? The same as the simulated collision algorithm A for G.
     Claim: the probability the simulated algorithm A witnesses is the same as the real A
     [Figure: B, given y = f(z), runs A: A outputs x, receives g, returns x’]

  23. Why does such an h exist and how to find it?
     chop_{n-1}(h(y)) = chop_{n-1}(h(f(x)))
     • Choose random w ∈ {0,1}^n
     • let w’ be such that chop_{n-1}(w) = chop_{n-1}(w’)
     • Want h(y) = w and h(f(x)) = w’
     • Such an h should exist from pair-wise independence
     • Easy to find and unique for H = {h_{a,b}(x) = a∙x + b | a, b ∈ F, a ≠ 0}
     • Open problem(?): what happens to the security of the construction if H does not have the property
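The step from slides 22 and 23 carried through at toy size, as an added example (not code from the lecture): it solves for the unique h_{a,b} with h(y) = w and h(f(x)) = w’ and checks that z, the preimage of y, then collides with the target x under g. Assumptions made here: n = 8 with GF(2^8) reduced by the polynomial 0x11B, chop drops the last bit, w’ = w with its last bit flipped, and f is a fixed shuffled table that is a permutation but not one-way; all sample values are constructed.

```python
import random

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiplication in GF(2^8); addition and subtraction are both XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    """a^(2^8 - 2) = a^(-1) for a != 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def h(a, b, x):
    return gf_mul(a, x) ^ b          # h_{a,b}(x) = a*x + b

def chop(v):
    return v >> 1                    # drop the last bit: 2-to-1

F_TABLE = list(range(256))
random.Random(4).shuffle(F_TABLE)    # toy permutation standing in for f

def f(x):
    return F_TABLE[x]

def g(a, b, x):
    return chop(h(a, b, f(x)))       # g(x) = chop(h(f(x)))

def find_h(y, fx, w):
    """Solve a*y + b = w and a*fx + b = w' where w' = w ^ 1 (needs y != fx)."""
    a = gf_mul(w ^ (w ^ 1), gf_inv(y ^ fx))   # a = (w - w') / (y - f(x))
    return a, w ^ gf_mul(a, y)                # b = w - a*y

def demo(x=0x3C, z=0xA7, w=0x55):
    y = f(z)                                  # B's input; x is A's target
    a, b = find_h(y, f(x), w)
    # Exhaustive search over H confirms the solution is unique.
    matches = [(a2, b2) for a2 in range(1, 256) for b2 in range(256)
               if h(a2, b2, y) == w and h(a2, b2, f(x)) == w ^ 1]
    return (a, b), matches, g(a, b, x) == g(a, b, z)

if __name__ == "__main__":
    print(demo())
```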

  24. Distribution of simulated A vs. real A
     The difference between the simulated and real A:
     • Real A gets g defined by random h ∈ H
     • Simulated A chooses x and gets g defined by
     • Choosing random z ∈ {0,1}^n and computing y = f(z)
     • y is uniform in {0,1}^n from f being a permutation
     • Choosing random w ∈ {0,1}^n and finding random h ∈ H such that h(y) = w and h(f(x)) = w’
     • Since both random y and random w are random, the result is a random h ∈ H
     Simulated A and real A witness the same distribution.
     The probability that B inverts is the same as A finding a collision

  25. What about the reverse combination
     • Let f: {0,1}^n → {0,1}^n be a one-way permutation
     • Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal_2 family of permutations
     Consider the (n, n-1)-family G where each g ∈ G is defined by h ∈ H:
     g(x) = chop_{n-1}(f(h(x)))
     Is it a UOWHF? Not necessarily: if
     • h is easy to invert and
     • f does not affect the last bit
     • not contradictory to either being one-way or a permutation
     Then easy to find collisions: for any x, the x’ that collides with it under h will also collide under g

  26. From (n, n-1)-UOWHFs to (n, n/2)-UOWHFs
     • Idea: composition.
     • What happens to the security of the scheme?
     • The probability of inverting f given a collision finding algorithm for H may be smaller by a factor of 2/n

  27. Sources
     • Chapter on signatures in Goldreich’s Foundations of Cryptography, volume 2
     • www.wisdom.weizmann.ac.il/~oded/foc-vol2.html
     • Papers:
     • Universal Hashing:
     • Carter & Wegman, Wegman and Carter, JCSS 1979, 1981
     • UOWHF: Naor & Yung
     • www.wisdom.weizmann.ac.il/~naor/PAPERS/uowhf_abs.html

  28. Homework
     • Given ε, n what is the number of bits needed to specify an authentication scheme?
     • Bonus: Can interaction help?
     • Can the number of shared secret bits be smaller than in a unidirectional scheme?
     • Can the number of shared bits depend on ε only?

  29. What about the public-key problem?
     • Recall: Bob and Charlie share the set-up phase information
     • Is it possible to satisfy the requirements:
     • Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere – Bob has value m in R
     • Soundness: If Alice wants to send m and Eve and Charlie do interfere
     • R is either N or m (but not m’ ≠ m)
     • If Alice does not want to send a message R is N
     • Who chooses which m Alice will want to approve?
     • Adversary does. This is a chosen message attack
     • As before: complexity to the rescue
